We’ve had a first-class concept of encrypted secrets configuration ever
since first releasing Pulumi. Customers have told us they love having
such a simple and easy way to ensure safe management of tokens, database
passwords, and more. Since launching, however, we’ve also heard that
you’d like more control over encryption and to see this protection
expanded to cover not just configuration, but all of the secret data
within your Pulumi deployments.

To support this, we’ve added two new features to Pulumi in our latest
0.17.12 release:

- Automatic tracking of secret values throughout a Pulumi program to
ensure that all such values are always encrypted in the resulting
state, no matter how they are used.
- A new option to use custom client-side encryption, instead of the
default of using the Pulumi backend for encryption, to have full
control over the secrets encryption and decryption.

Together, these features provide you with complete control over how
secrets are managed within Pulumi deployments. We have worked with
customers with advanced security and compliance needs while developing
this feature, enabling them to use our online hosted SaaS with even
greater confidence.